Table of Contents
Fetching ...

Rhea: Detecting Privilege-Escalated Evasive Ransomware Attacks Using Format-Aware Validation in the Cloud

Beom Heyn Kim, Seok Min Hong, Mohammad Mannan

TL;DR

Rhea tackles privilege-escalated evasive ransomware (PEER) by moving beyond I/O-pattern and entropy-based detection to Format-Aware Validation (FAV), which enforces file-format invariants as correctness constraints. The cloud-offloaded architecture uses mutation snapshots and a four-stage detection pipeline—Delta Extraction, Sliding Adaptive Window Analysis, Block-to-File Mapping, and FAV—to localize and validate potentially encrypted regions. Across structured formats (TXT, PDF, OOXML, ZIP) and real-world ransomware, Rhea achieves near-perfect detection while maintaining practical runtimes, significantly outperforming traditional statistical detectors under fine-grained partial encryption. The approach is resilient to privilege escalation by isolating analysis in the cloud and leveraging file-format specifications, with discussion of format limitations and potential extensions to address evolving threats and exfiltration strategies.

Abstract

Ransomware variants increasingly combine privilege escalation with sophisticated evasion strategies such as intermittent encryption, low-entropy encryption, and imitation attacks. Such powerful ransomware variants, privilege-escalated evasive ransomware (PEER), can defeat existing solutions relying on I/O-pattern analysis by tampering with or obfuscating I/O traces. Meanwhile, conventional statistical content-based detection becomes unreliable as the encryption size decreases due to sampling noises. We present Rhea, a cloud-offloaded ransomware defense system that analyzes replicated data snapshots, so-called mutation snapshots. Rhea introduces Format-Aware Validation that validates the syntactic and semantic correctness of file formats, instead of relying on statistical or entropy-based indicators. By leveraging file-format specifications as detection invariants, Rhea can reliably identify fine-grained and evasive encryption even under elevated attacker privileges. Our evaluation demonstrates that Rhea significantly outperforms existing approaches, establishing its practical effectiveness against modern ransomware threats.

Rhea: Detecting Privilege-Escalated Evasive Ransomware Attacks Using Format-Aware Validation in the Cloud

TL;DR

Rhea tackles privilege-escalated evasive ransomware (PEER) by moving beyond I/O-pattern and entropy-based detection to Format-Aware Validation (FAV), which enforces file-format invariants as correctness constraints. The cloud-offloaded architecture uses mutation snapshots and a four-stage detection pipeline—Delta Extraction, Sliding Adaptive Window Analysis, Block-to-File Mapping, and FAV—to localize and validate potentially encrypted regions. Across structured formats (TXT, PDF, OOXML, ZIP) and real-world ransomware, Rhea achieves near-perfect detection while maintaining practical runtimes, significantly outperforming traditional statistical detectors under fine-grained partial encryption. The approach is resilient to privilege escalation by isolating analysis in the cloud and leveraging file-format specifications, with discussion of format limitations and potential extensions to address evolving threats and exfiltration strategies.

Abstract

Ransomware variants increasingly combine privilege escalation with sophisticated evasion strategies such as intermittent encryption, low-entropy encryption, and imitation attacks. Such powerful ransomware variants, privilege-escalated evasive ransomware (PEER), can defeat existing solutions relying on I/O-pattern analysis by tampering with or obfuscating I/O traces. Meanwhile, conventional statistical content-based detection becomes unreliable as the encryption size decreases due to sampling noises. We present Rhea, a cloud-offloaded ransomware defense system that analyzes replicated data snapshots, so-called mutation snapshots. Rhea introduces Format-Aware Validation that validates the syntactic and semantic correctness of file formats, instead of relying on statistical or entropy-based indicators. By leveraging file-format specifications as detection invariants, Rhea can reliably identify fine-grained and evasive encryption even under elevated attacker privileges. Our evaluation demonstrates that Rhea significantly outperforms existing approaches, establishing its practical effectiveness against modern ransomware threats.
Paper Structure (17 sections, 1 equation, 6 figures, 5 tables, 1 algorithm)

This paper contains 17 sections, 1 equation, 6 figures, 5 tables, 1 algorithm.

Figures (6)

  • Figure 1: Rhea architecture. Rheafrontend periodically generates a mutation snapshot. Then, Rheabackend stores the series of mutation snapshots as long-term immutable backups. With this, Rheaagent conducts deeper analysis to detect ransomware attacks.
  • Figure 2: Rhea's Format-Aware Content-Only Detection Pipeline. Rhea's dual-level detection pipeline takes mutation snapshots as inputs and produces detection results as outputs.
  • Figure 3: Delta Extraction. Rhea computes forward differences of mutated blocks to construct a delta snapshot.
  • Figure 4: Illustration of the SAWA process.
  • Figure 5: Comparison with content-based detection under fine-grained partial encryption. Detection rate as a function of encrypted bytes per write under a fixed skip distance (skip=128) across four file types. FAV (Rhea) remains robust under sparse encryption, while statistical detectors degrade as encryption becomes small and scattered.
  • ...and 1 more figures